[ic] No User Name / Password Needed for Admin Area

Jon Jensen interchange-users@lists.akopia.com
Fri Jun 8 02:29:00 2001


On Fri, 8 Jun 2001, Christopher VanOosterhout wrote:

> I originally installed Interchange about five months ago, using the
> version then available from Akopia.
>
> It included the construct template.
>
> However, once I installed the program I created a store using the
> instructions in the Akopia document called: "Interchange: Catalog--Building
> Tutorial."

You mean you used the catalog tutorial for a *real* store? Instead of
construct? The tutorial was never meant to be the basis for a real store.
Nobody's ever audited it for security, it doesn't encrypt orders, etc.
etc. I thought we made ample warning about that in the tutorial. I guess
we'll have to warn louder. But congratulations on building a store from
such humble beginnings. :)

> Is the admin area automatically open by default?
>
> I notice when I try to get into the admin area of the construct store on
> the same server it asks me for a user name and password.  However if the
> /admin/index.html gets tacked on to the end of one of the other stores, it
> allows people into the area without asking for a user name and password.

It looks like you've found a new security vulnerability. If the access
database does not exist (is not defined at all by catalog.cfg or its
includes), then you get wide-open access.

About the only way you'd find yourself in this situation is by building a
catalog from scratch but leaving the admin UI enabled.

> Eventually I would possibly like to use the admin area, however right now
> ... especially if it allows anyone in to alter it ... I would like to
> disconnect it or cover it by a password.

You should go into interchange.cfg right away and comment out "Variable
UI 1" by putting '#' at the beginning of the line. Then restart and make
sure the admin is no longer available.

In the future I think we'll have the admin pages deny access if there's no
access database at all.

Jon
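A quick defender-side audit for the two conditions Jon describes (admin UI enabled globally, and a catalog whose catalog.cfg never defines the access database). This is an added example, not code from the thread or from the Interchange project. It assumes the admin UI is switched on by an uncommented `Variable UI 1` line in interchange.cfg (as the reply states) and that the access database is defined by a `Database access ...` line in catalog.cfg or in a file pulled in by an `include` directive; the exact directive spellings are assumptions, so adjust the patterns to your installation. The sample config files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added audit script (not part of the original mailing-list thread).
# Assumed Interchange syntax (verify against your install):
#   interchange.cfg:  "Variable UI 1"            enables the admin UI
#   catalog.cfg:      "Database access ..."      defines the admin access table
#   catalog.cfg:      "include <file>"           pulls in another config file

# Print "enabled" if interchange.cfg has an active (uncommented) "Variable UI 1".
ui_status() {
    if grep -Eq '^[[:space:]]*Variable[[:space:]]+UI[[:space:]]+1([[:space:]]|$)' "$1"; then
        echo enabled
    else
        echo disabled
    fi
}

# Print "protected" if a catalog.cfg (or a file it includes, one level deep,
# relative to the catalog directory) defines the access database; else "OPEN".
catalog_status() {
    cfg=$1
    dir=$(dirname "$cfg")
    files=$cfg
    for inc in $(awk '/^[[:space:]]*include[[:space:]]/ {print $2}' "$cfg"); do
        if [ -f "$dir/$inc" ]; then
            files="$files $dir/$inc"
        fi
    done
    if cat $files | grep -Eq '^[[:space:]]*Database[[:space:]]+access[[:space:]]'; then
        echo protected
    else
        echo OPEN
    fi
}

# Walk every catalog under a directory and report the ones that would be
# wide open while the admin UI is enabled.
audit() {
    ic_cfg=$1
    catalogs_dir=$2
    ui=$(ui_status "$ic_cfg")
    echo "admin UI: $ui"
    for cfg in "$catalogs_dir"/*/catalog.cfg; do
        [ -f "$cfg" ] || continue
        status=$(catalog_status "$cfg")
        name=$(basename "$(dirname "$cfg")")
        if [ "$ui" = enabled ] && [ "$status" = OPEN ]; then
            echo "$name: $status (admin area reachable with no login)"
        else
            echo "$name: $status"
        fi
    done
}

# Constructed demo layout: one catalog like "construct" that defines the
# access table, one built from the tutorial that does not.
demo_dir=$(mktemp -d)
printf 'Variable UI 1\n' > "$demo_dir/interchange.cfg"
mkdir -p "$demo_dir/catalogs/construct" "$demo_dir/catalogs/tutorialstore"
printf 'Database access access.txt TAB\n' > "$demo_dir/catalogs/construct/catalog.cfg"
printf 'Variable DOCROOT /var/www\n' > "$demo_dir/catalogs/tutorialstore/catalog.cfg"
audit "$demo_dir/interchange.cfg" "$demo_dir/catalogs"
```

After applying Jon's fix (commenting out `Variable UI 1` and restarting), rerun the script: `ui_status` should report `disabled`, and the open catalogs are no longer flagged as reachable even though they still lack an access database.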